@jrey its doesn't need cas you don't have off of... My point was just delete them if they are expired.. And CAs that acme needs to renew your certs will just get added back anyway.

@johnpoz Yes indeed!!! Love to listen/watch the moments when they're picking the next song in the set...in this case a quick word between Jer & Bob, but then Jer's smile as the drummers take off, good stuff! These days I keep hearing Throwing Stones. --Larry

@accidentallyadmin Looking at posts here and Reddit looks like simply deleting ISRG Root X1 and the renewing certificates works fine.

@LarryFahnoe yep. I’ve switched away from Haproxy and acme on pfsense due to needing more power under the hood and security reasons. BIND9 with 2 Nginx Reverse Proxy and RFC2136 works well. Regards.

@PierreFrench Like this : How do I renew this Certificate Athority ?

UPDATE: Yes, updating to 24.03 and Acme 0.8_1 seems to have resolved this problem. I didn't try upgrading Acme on its own first.

@oguruma When you renew manually, by clicking on the [image: 1724224981414-fff4a4e1-f2ba-4d77-a65d-108b5f195d92-image.png] button, after a while (DNS Sleep setting) you will see a green box/recap. Succes at the end ? When you check, for example here : System > Certificates > Certificates did you find the cert with new start and end dates ? You see the same info here : [image: 1724225077773-222f4321-96d9-4d22-ab91-3aac33350769-image.png]

@cemsonmez the issue solved. Almost nothing has been done to fix this. It is all about dns updates. I have waited some time It updated and now certificate is issued.

Resolved Found some documentation on Let's Encrypt (I really though the CA change would be handled automatically, apparently not) What I did was grab the pem they have listed, create a new CA with the same name, paste the pem and save the new CA The chain "Certificates" immediately changed to the new CA removing the count of 1 from the Sept 2024 soon to expire CA and assigning it to the new one (likely would have been fine to just replace the cert pem data in the original and update it.) [image: 1723820021764-screen-shot-2024-08-16-at-10.49.12-am.png]

@thezfunk Your nearly done, I guess. You saw it : https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_namecheap And of course the namecheap acme.sh documentation. Fill in the domain name, like "pfsense.domain.tld" (you rent domain.tld - right). The the API key Get the user name. My advice : set DNS Sleep to "120" seconds. And you should be good. For namecheap stories, use the forum search button, and search in the pfsense acme.sh sub forum. Not this one, as for some reason you posted here but the question isn't "General" at all, and acme has its own forum dedicated to the acme.sh package - let me highlight it for you : [image: 1722407091393-a77c8154-d11f-4a80-97da-41bbddf6913f-image.png]

@Hyperion said in Where to DL acme cert manually?: I have no internet connection on that Netgate and want to download Download without an Internet connection .... @Hyperion said in Where to DL acme cert manually?: and install the packages manually. Experts have tried this. Guess they haven't a connection neither : they never came to post here on the forum about their finding. The (FreeBSD) build in pkg, the packet manager, could be used to install FreeBSD packages, but pfSense package : you need the GUI. I hope to be wrong of course. @Hyperion said in Where to DL acme cert manually?: Does anyone know a URL source where I can download the needed certificates and install them manually via Terminal/Shell within pfSense Can't you just connect to the GUI and install the cert ? pfSense is GUI driven.

Hi, I went through several rounds of testing and I beleive that this is a bug somewhere in pfsense, stunnel. Currrently: The web interface of pfsense uses the sames cetificate without issues Stunnel with the same certificate fails on pfsense (Error resolving "r11.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)) Installing stunnel 5.68 on a Debian 12.5 the same certificate (pem file compied from pfsense) works wihtout issues.

@bmarkel This did help a little. After saving the changes and attempting to Issue/Renew again the screen refreshed with the ACME certbot messages giving me a partial error. Trying to simplify the issue I created a fresh certificate using Let's Encrypt Staging but the errors have been similar.

@aes4096 said in ACME IP address or domain: I can use the DNS method or purchase a Wildcard certificate with subdomain protection, which is more expensive. If you can use a DNS Method you can ask a wildcard certificate. Letsencrypt will still be free of use. If you own( = rent) a domain name, you control the domain. You are the only one being able to create sub domains. I can proof that : try creating aes4096.microsoft.com : good luck ^^

@jcubillo Oh ... great. I guess they want to stop being the registrar for 'everybody'.